Malicious JSON RPC request unit test (#1884)

* Sanitize JSON RPC response * Logs * Add another test case, revert HTML escape
0xPolygon · Sep 12, 2023 · 4a45018 · 4a45018
1 parent c49733b
commit 4a45018
Show file tree

Hide file tree

Showing 2 changed files with 68 additions and 22 deletions.
diff --git a/jsonrpc/jsonrpc.go b/jsonrpc/jsonrpc.go
@@ -313,7 +313,6 @@ func (j *JSONRPC) handleJSONRPCRequest(w http.ResponseWriter, req *http.Request)
 	j.logger.Debug("handle", "request", string(data))
 
 	resp, err := j.dispatcher.Handle(data)
-
 	if err != nil {
 		_, _ = w.Write([]byte(err.Error()))
 	} else {

diff --git a/jsonrpc/jsonrpc_test.go b/jsonrpc/jsonrpc_test.go
@@ -4,32 +4,20 @@ import (
 	"bytes"
 	"encoding/json"
 	"net"
+	"net/http/httptest"
+	"strings"
 	"testing"
 
+	"github.com/hashicorp/go-hclog"
+	"github.com/stretchr/testify/require"
+
 	"github.com/0xPolygon/polygon-edge/helper/tests"
 	"github.com/0xPolygon/polygon-edge/versioning"
-	"github.com/stretchr/testify/assert"
-
-	"github.com/hashicorp/go-hclog"
 )
 
 func TestHTTPServer(t *testing.T) {
-	store := newMockStore()
-	port, portErr := tests.GetFreePort()
-
-	if portErr != nil {
-		t.Fatalf("Unable to fetch free port, %v", portErr)
-	}
-
-	config := &Config{
-		Store: store,
-		Addr:  &net.TCPAddr{IP: net.ParseIP("127.0.0.1"), Port: port},
-	}
-	_, err := NewJSONRPC(hclog.NewNullLogger(), config)
-
-	if err != nil {
-		t.Fatal(err)
-	}
+	_, err := newTestJSONRPC(t)
+	require.NoError(t, err)
 }
 
 func Test_handleGetRequest(t *testing.T) {
@@ -51,12 +39,12 @@ func Test_handleGetRequest(t *testing.T) {
 
 	response := &GetResponse{}
 
-	assert.NoError(
+	require.NoError(
 		t,
 		json.Unmarshal(mockWriter.Bytes(), response),
 	)
 
-	assert.Equal(
+	require.Equal(
 		t,
 		&GetResponse{
 			Name:    chainName,
@@ -66,3 +54,62 @@ func Test_handleGetRequest(t *testing.T) {
 		response,
 	)
 }
+
+func TestJSONRPC_handleJSONRPCRequest(t *testing.T) {
+	t.Parallel()
+
+	j, err := newTestJSONRPC(t)
+	require.NoError(t, err)
+
+	cases := []struct {
+		name             string
+		request          string
+		expectedResponse string
+	}{
+		{
+			name: "malicious input (XSS attack)",
+			request: `{"jsonrpc":"2.0","id":0,"method":"eth_getBlockByNumber","params":["latest",false]}
+<script>alert("XSS attack");</script>`,
+			expectedResponse: `{"jsonrpc":"2.0","error":{"code":-32600,"message":"Invalid json request"}}`,
+		},
+		{
+			name:             "valid input",
+			request:          `{"jsonrpc":"2.0","id":0,"method":"eth_getBlockByNumber","params":["latest",false]}`,
+			expectedResponse: `{"jsonrpc":"2.0","id":0,"result":{`,
+		},
+	}
+
+	for _, c := range cases {
+		c := c
+
+		t.Run(c.name, func(t *testing.T) {
+			t.Parallel()
+
+			req := httptest.NewRequest("POST", "/eth_getBlockByNumber", strings.NewReader(c.request))
+			req.Header.Set("Content-Type", "application/json")
+
+			w := httptest.NewRecorder()
+
+			j.handleJSONRPCRequest(w, req)
+
+			response := w.Body.String()
+			require.Contains(t, response, c.expectedResponse)
+		})
+	}
+}
+
+func newTestJSONRPC(t *testing.T) (*JSONRPC, error) {
+	t.Helper()
+
+	store := newMockStore()
+
+	port, err := tests.GetFreePort()
+	require.NoError(t, err, "Unable to fetch free port, %v", err)
+
+	config := &Config{
+		Store: store,
+		Addr:  &net.TCPAddr{IP: net.ParseIP("127.0.0.1"), Port: port},
+	}
+
+	return NewJSONRPC(hclog.NewNullLogger(), config)
+}